TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Computer Security Incident Response Center Is Effectively Performing Most of Its Responsibilities, but Further Improvements Are Needed

March 12, 2012

Reference Number: 2012-20-019

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number   | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website        | http://www.tigta.gov


HIGHLIGHTS

THE COMPUTER SECURITY INCIDENT RESPONSE CENTER IS EFFECTIVELY PERFORMING MOST OF ITS RESPONSIBILITIES, BUT FURTHER IMPROVEMENTS ARE NEEDED

Highlights

Final Report issued on March 12, 2012

Highlights of Reference Number: 2012-20-019 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Computer Security Incident Response Center (CSIRC) is responsible for monitoring the IRS network 24 hours a day, year-round, for cyberattacks and computer vulnerabilities and for responding to various computer security incidents such as the theft of a laptop computer. Taxpayers are impacted when IRS network disruptions prevent the IRS from performing vital taxpayer services such as processing tax returns, issuing refunds, and answering taxpayer inquiries.

WHY TIGTA DID THE AUDIT

The overall objective of this review was to evaluate the effectiveness of the CSIRC at preventing, detecting, reporting, and responding to computer security incidents targeting IRS computers and data. TIGTA included this audit in its Fiscal Year 2011 Annual Audit Plan to help fulfill its statutory requirement to review the adequacy and security of IRS technology. This review addresses the major management challenge of Security for Taxpayer Data and Employees.

WHAT TIGTA FOUND

The CSIRC is effectively performing most of its responsibilities for preventing, detecting, and responding to computer security incidents. However, further improvements could be made. The CSIRC's host-based intrusion detection system is not monitoring 34 percent of IRS servers, which puts the IRS network and data at risk. In addition, the CSIRC is not reporting all computer security incidents to the Department of the Treasury, as required. Finally, incident response policies, plans, and procedures are either nonexistent or are inaccurate and incomplete.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Assistant Chief Information Officer, Cybersecurity, direct the CSIRC to 1) develop its Cybersecurity Data Warehouse capability to correlate and reconcile active servers connected to the IRS network with servers monitored by the host-based intrusion detection system; 2) revise and expand the Memorandum of Understanding with the TIGTA Office of Investigations to ensure all reportable and relevant security incidents are shared with the CSIRC; 3) collaborate with the TIGTA Office of Investigations to create common identifiers to help the CSIRC reconcile its incident tracking system with the TIGTA Office of Investigations' incident system; 4) develop a standalone incident response policy or update the policy in the IRS's Internal Revenue Manual with current and complete information; 5) develop an incident response plan; and 6) develop, update, and formalize all critical standard operating procedures.

The IRS agreed with the recommendations, and corrective actions are planned or in process for five of the six recommendations. Although the IRS agreed with the recommendation to correlate and reconcile active servers connected to the IRS network with servers monitored by the host-based intrusion detection system, its proposed corrective actions do not address the recommendation. Specifically, the IRS did not commit to implementing the controls we recommended.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

March 12, 2012

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:      Michael R. Phillips
           Deputy Inspector General for Audit

SUBJECT:   Final Audit Report – The Computer Security Incident Response Center Is Effectively Performing Most of Its Responsibilities, but Further Improvements Are Needed (Audit # 201120012)

This report presents the results of our review of the Internal Revenue Service's (IRS) Computer Security Incident Response Center (CSIRC).
The overall objective of this review was to evaluate the effectiveness of the CSIRC at preventing, detecting, reporting, and responding to computer security incidents targeting IRS computers and data. This audit was included in the Treasury Inspector General for Tax Administration's Fiscal Year 2011 Annual Audit Plan and was part of our statutory requirement to annually review the adequacy and security of IRS technology. This review addresses the major management challenge of Security for Taxpayer Data and Employees.

Management's complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.


Table of Contents

Background ..... Page 1

Results of Review ..... Page 3
    The Computer Security Incident Response Center Is Effectively Performing Most of Its Responsibilities and Has Sufficient Tools and Training to Accomplish Its Mission ..... Page 3
    The Computer Security Incident Response Center Does Not Administer and Monitor the Host-Based Intrusion Detection System for All Deployed Servers ..... Page 5
        Recommendation 1: ..... Page 7
    The Computer Security Incident Response Center Is Not Reporting All Computer Security Incidents to the Department of the Treasury ..... Page 8
        Recommendations 2 and 3: ..... Page 10
    The Computer Security Incident Response Center Has Not Developed Adequate Policies, Plans, and Procedures ..... Page 11
        Recommendations 4 and 5: ..... Page 12
        Recommendation 6: ..... Page 14

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ..... Page 15
    Appendix II – Major Contributors to This Report ..... Page 18
    Appendix III – Report Distribution List ..... Page 19
    Appendix IV – Computer Security Incident Response Center Lifecycle for Managing Security Incidents ..... Page 20
    Appendix V – Glossary of Terms ..... Page 21
    Appendix VI – Management's Response to the Draft Report ..... Page 25


Abbreviations

CSIRC    Computer Security Incident Response Center
HIDS     Host-Based Intrusion Detection System
IRM      Internal Revenue Manual
IRS      Internal Revenue Service
MITS     Modernization and Information Technology Services
NIST     National Institute of Standards and Technology
TIGTA    Treasury Inspector General for Tax Administration


Background

Cybersecurity incidents are computer-related threats or attacks against an organization's computer systems.[1] The Government Accountability Office testified[2] to Congress that pervasive and sustained cyberattacks continue to pose a potentially devastating threat to the systems and operations of the Federal Government. Cyberthreats to Federal systems can come from a variety of sources, including criminals and foreign Nations, as well as hackers and disgruntled employees. These potential attackers have a variety of techniques at their disposal, which can enhance the reach and impact of their actions. For example, cyberattackers do not need to be physically close to the targets, their attacks can easily cross State and national borders, and cyberattackers can easily preserve their anonymity.

The U.S. Department of Energy Inspector General recently reported that exploitation of vulnerabilities could cause significant disruption to operations and increase the risk that sensitive data could be changed or stolen.[3] The Department of Energy also said that recovery from cyberattacks can be very costly. For example, three recent cyberattacks at different locations cost the Department of Energy over $2 million. In another example, a senior Department of Defense official reported that 24,000 electronic files were stolen in a cyberattack on the Pentagon in March 2011. The official said that the cyberexploitation perpetrated against the defense industry cuts across a wide swath of crucial military hardware, ranging from missile tracking systems to satellite navigation devices, and that any theft of design data or engineering information undermines the technological edge we hold over our potential adversaries.

Many cyberattacks can be traced back to the discovery of new security vulnerabilities identified by security researchers or vendors. Attackers will subsequently engineer exploit code and then launch that code against targets of interest.
As a result, any significant delays in finding or fixing software with critical vulnerabilities provide ample opportunity for attackers to break through, gaining control over the vulnerable machines and getting access to the sensitive data they contain.

To combat cyberthreats to its computer systems as well as computer-related security incidents such as loss or theft of laptop computers and employees' improper use of computers, the Internal Revenue Service (IRS) established the Computer Security Incident Response Center (CSIRC) in the Modernization and Information Technology Services (MITS) organization in February 2001.

[1] See Appendix V for a Glossary of Terms.
[2] Government Accountability Office, GAO-10-834T, Continued Attention Is Needed to Protect Federal Information Systems From Evolving Threats, p. 1 (June 16, 2010).
[3] U.S. Department of Energy, DOE/IG-0856, The Department's Unclassified Cyber Security Program – 2011, p. 8 (Oct. 2011).

The CSIRC's mission is to ensure the IRS has a team of capable "first responders" who are organized, trained, and equipped to identify and eradicate cyberthreats. One of the primary duties of the CSIRC is to perform 24-hour monitoring and support to IRS operations, seven days a week, 365 days a year.

Similar to what the Government Accountability Office found, the IRS has experienced an increase in the number of computer security incidents and threats. In Calendar Year 2010, the IRS detected 2,768 computer security incidents and threats, which represent a 22 percent increase over each of the past two years. The incidents and threats increase the risks to IRS operations, the administration of our Nation's tax system, and the privacy of taxpayers' sensitive information.

    The IRS detected over 2,700 computer security incidents during Calendar Year 2010.

The CSIRC's 31 employees and 23 contractors are divided among three groups.
   •   Operations – This group monitors the network and reports security incidents. It also sends security notifications to the IRS business units and system owners.
   •   Technical Team – This group deploys, operates, and maintains the security tools and applications required to support the cyberincident response capabilities.
   •   Emerging Threats – This group helps plan for and respond to emerging threats and computer security incidents targeting information technology assets. It also identifies cyberthreats based on geographic region, country, group, and individual.

The CSIRC must also rely on employees in other MITS functions to perform critical security prevention and detection activities for the IRS. For example, the CSIRC must rely on the Enterprise Operations function to install host-based intrusion detection system (HIDS) software on servers so that the CSIRC may properly monitor all servers on the network. The Enterprise Operations function is also responsible for installing security patches on servers, which protect servers from the most up-to-date cyberthreats.

This review was performed at the offices of the MITS organization and its CSIRC in New Carrollton, Maryland. We performed the review during the period March through September 2011.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.


Results of Review

The Computer Security Incident Response Center Is Effectively Performing Most of Its Responsibilities and Has Sufficient Tools and Training to Accomplish Its Mission

The IRS has assigned most of the computer security incident-related services recommended by the National Institute of Standards and Technology (NIST) and the Carnegie Mellon Software Engineering Institute to the CSIRC. Other IRS functions are assigned some of the recommended services and responsibilities, which is common in large organizations according to the Carnegie Mellon Institute. For example, the Security Risk Management function in the MITS Cybersecurity office is responsible for conducting network scans that identify all missing security patches. The Security Control Testing and Evaluation group in this function conducts network vulnerability scanning at the operating system level, database scanning, and web scanning. We focused our review on the responsibilities performed by the CSIRC. These responsibilities fit into four overall categories. See Appendix IV for a chart of all functions and responsibilities assigned to the CSIRC.
   •   Detection – includes monitoring the network and the HIDS.
   •   Response – includes performing forensic analysis of security incidents and security event triage.
   •   Reporting – includes performing trending and analysis and reporting security incidents and events to IRS executives and the Department of the Treasury CSIRC (hereafter referred to as the Treasury CSIRC).
   •   Prevention – includes outreach and awareness activities to IRS business units and issuing security notifications.

Detection Responsibilities – The CSIRC is effectively performing its responsibilities to detect computer security incidents. For example, the CSIRC reviews and approves firewall change requests in accordance with IRS procedures. The CSIRC also maintains a Network-Based Intrusion Detection System that includes 27 sensors stationed throughout the IRS. Multiple sensors are placed in the IRS's three computing centers, and at least one sensor is located at each of the IRS's 10 campuses. CSIRC management has recognized the need for further expansion and plans to add additional sensors on the network, which will increase monitoring capability at the current sites and expand coverage to additional office locations.
The CSIRC also effectively reviews the Internet usage log files to identify violations of the IRS's Internet Usage Policy and appropriately notifies the Treasury Inspector General for Tax Administration (TIGTA) Office of Investigations or IRS Labor Relations when necessary. Lastly, CSIRC analysts block any malicious or inappropriate websites upon discovery.

Response Responsibilities – The CSIRC also effectively responds to computer security incidents. When addressing incidents, CSIRC employees adhere to the Department of the Treasury incident handling guidelines,[4] which outline procedures for incident preparation, identification, containment, eradication, recovery, and follow-up. For example, when a laptop is lost or stolen, CSIRC analysts disable the employee's grid card and ensure the employee changes his or her password. The analysts use a checklist that enumerates everything that must be completed when addressing this type of incident. Further, the CSIRC conducts post-mortems for significant events and develops corrective actions for lessons learned. For example, during the CSIRC's response to the Conficker worm, the IRS had to remove thousands of computers from the network to contain the virus. The CSIRC recognized that the IRS helpdesk personnel needed assistance getting computers back online. To streamline this process, CSIRC analysts created a Probe and Response Guide to assist the helpdesk personnel with containing any contamination caused by the virus and restoring computers to the network. The CSIRC has implemented most of the corrective actions identified through its formal lessons-learned process, and those that remain outstanding require more complicated fixes that are still in progress, involving multiple organizations outside the CSIRC.

Prevention Responsibilities – The CSIRC effectively performs its prevention responsibilities. For example, the CSIRC timely notifies MITS's Enterprise Operations and Security Risk Management functions when software patch notifications are received from vendors. Furthermore, the CSIRC has effective controls in place to ensure that security alerts, bulletins, and advisories are issued timely in order to help prevent computer security incidents. The CSIRC also performs outreach and awareness to IRS business units, with a presentation entitled The Cyber Threat. This awareness presentation includes common misconceptions about cyberthreats, the cost of inadequate security, key vulnerabilities, and the kinds of cyberthreats targeting the IRS. Lastly, the CSIRC coordinates with other MITS functions in the preparation and posting of informational security articles on the IRS's Intranet to ensure widespread distribution.

Tools, Training, and Qualifications – The CSIRC also has sufficient tools and training to accomplish its mission. The CSIRC budget has more than doubled in the last three fiscal years, from $11.6 million in 2009 to $30.1 million in 2011. This increase in funds has allowed the CSIRC to procure additional equipment and analytical software to monitor and protect the IRS network. Equipment purchases alone increased from $32,927 in 2009 to $593,452 in 2010. The training records of CSIRC employees and contractors indicate they are provided adequate training to remain current in the rapidly changing field of cybersecurity.
Training courses cover topics such as security risk assessment and web security, software-specific certifications, and operating system administration. These resources allow the CSIRC to accomplish the services described above.

[4] Department of the Treasury, Treasury Directive Policy 85-01, Department of the Treasury Incident Response Guidelines and Procedures (Jan. 29, 2008).

In addition to adequate tools and training, CSIRC employees and contractors have the required qualifications for their positions, including a combination of appropriate experience, education, and specialized technical certifications to fulfill CSIRC roles. At the time of our review, CSIRC staff consisted of 31 Federal employees and 23 contractors who run the CSIRC 24 hours a day throughout the year, including weekends, at two different locations. CSIRC employees have advanced information technology degrees or extensive experience in computer and network security. Lastly, the IRS completed background checks for all CSIRC employees and contractors.

Although the CSIRC is effectively performing most of its prevention, detection, and response responsibilities, we found some areas where improvements could be made to further protect the IRS network and data.

The Computer Security Incident Response Center Does Not Administer and Monitor the Host-Based Intrusion Detection System for All Deployed Servers

The CSIRC is required to detect security incidents and attacks against the IRS network by monitoring the HIDS software installed on servers.
To accomplish this function, the CSIRC relies on system administrators to follow IRS procedures that require them to install and maintain HIDS software on all servers connected to the network. However, the CSIRC has not established an automated internal control to identify servers that are connected to the IRS network without the protection of a HIDS.

We found a significant number of servers deployed throughout the IRS that were operating without a HIDS installed. System administrators working in the MITS organization, which includes the Enterprise Operations, Enterprise Networks, and Applications Development functions, maintain most of these servers. However, this weakness also exists in other major IRS business units that maintain their own information technology infrastructure. Table 1 shows the number and percentage of active servers deployed on the IRS network that were operating without a functioning HIDS.

Table 1: Deployed IRS Servers Operating Without a HIDS

  Business Unit                        Deployed Servers That Should   Deployed Servers Operating   Percent Not
                                       Be Monitored by the CSIRC      Without a HIDS               Monitored
  MITS                                                        6,799                        1,898          28%
  Criminal Investigation                                        766                          766         100%
  Research, Analysis, and Statistics                            135                           58          43%
  Chief Counsel                                                 434                           58          13%
  Totals                                                      8,136                        2,780          34%

  Source: TIGTA reconciliation of the IRS server database inventory and the HIDS monitoring system.

Included in the MITS numbers above, we also found HIDS software was not installed or functioning on 615 (29 percent) of the 2,147 servers that the IRS deployed in a virtualized environment.

Criminal Investigation servers are not protected by the HIDS. CSIRC officials are currently discussing with Criminal Investigation officials the possibility of allowing HIDS installation on the Criminal Investigation servers. For other functions, IRS officials provided several reasons why these servers were operating without the HIDS software.
   •   The servers were offline for maintenance on the day we conducted our test. However, the system administrators were unable to provide support for this explanation.
   •   The servers were retired, but the system administrators did not update the IRS asset management and inventory system. System administrators were also unable to provide support for this explanation.
   •   The servers were in "build" status and, therefore, were not required to have HIDS software installed. However, we found no HIDS exemption in IRS procedures for the "build" servers and believe these servers still pose risks if not monitored and protected while on the network.
   •   System administrators were unaware that the HIDS was not functioning on the servers.
   •   HIDS software was installed subsequent to our test or the HIDS is scheduled to be installed. CSIRC officials corroborated this last explanation by stating that after we forwarded identification data for the above servers to system administrators, the CSIRC's HIDS technical team noticed a significant increase in the number of servers actively monitored by the HIDS monitoring system.

A lack of coordination between the CSIRC and system administrators contributed to the significant number of servers operating without a HIDS. CSIRC officials told us their responsibility is to monitor the HIDS, and system administrators are responsible for installing and maintaining the HIDS. The CSIRC made no attempt to reconcile the active servers connected to the network with the servers the HIDS technical team monitors. However, CSIRC officials told us they are planning to enhance their Cybersecurity Data Warehouse to systemically collect and correlate active server data with data from the HIDS monitoring system. This enhancement would accomplish a reconciliation such as the one we performed and identify servers operating without a HIDS.
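The reconciliation described above (joining the active-server inventory to the HIDS monitoring data so that unmonitored servers surface per business unit, as in Table 1, and servers repeatedly found without a HIDS can be reported to their system administrators), as an added example that is neither TIGTA's nor the IRS's code. It assumes two constructed CSV exports with placeholder hostnames, a hypothetical 24-hour agent check-in window, and treats an installed-but-silent agent as not functioning and a "build" server as still in scope, as the findings above describe.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_AGENT_AGE = timedelta(hours=24)  # assumption: a working agent checks in daily

# Constructed sample inventory export (placeholder hosts and units, not IRS data).
INVENTORY_CSV = """hostname,business_unit,status
app01.example.test,MITS,active
app02.example.test,MITS,active
APP03.example.test,MITS,build
db01.example.test,MITS,retired
ci-srv01.example.test,Criminal Investigation,active
ci-srv02.example.test,Criminal Investigation,active
ras01.example.test,Research Analysis and Statistics,active
"""
# Constructed HIDS console export: one row per agent that ever registered.
HIDS_CSV = """hostname,last_checkin
app01,2012-03-01T08:00:00Z
app02,2012-02-20T08:00:00Z
ras01.example.test,2012-03-01T07:30:00Z
ghost77,2012-03-01T06:00:00Z
"""
NOW = datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc)


def normalize(hostname: str) -> str:
    """Common identifier for the join: lower-case short name. The two sources
    disagree on case and FQDN vs. short name; dropping the domain assumes
    short names are unique across the estate (verify that on real data)."""
    return hostname.strip().lower().split(".")[0]


@dataclass
class UnitStats:
    should_be_monitored: int = 0
    unmonitored: int = 0

    @property
    def percent_unmonitored(self) -> int:
        if self.should_be_monitored == 0:
            return 0
        return round(100 * self.unmonitored / self.should_be_monitored)


@dataclass
class Report:
    by_unit: dict[str, UnitStats] = field(default_factory=dict)
    unmonitored: dict[str, str] = field(default_factory=dict)  # host -> reason
    orphans: list[str] = field(default_factory=list)  # in HIDS but not in inventory
    repeat_offenders: list[str] = field(default_factory=list)  # unmonitored last run too

    @property
    def totals(self) -> UnitStats:
        total = UnitStats()
        for stats in self.by_unit.values():
            total.should_be_monitored += stats.should_be_monitored
            total.unmonitored += stats.unmonitored
        return total


def reconcile(inventory_csv: str, hids_csv: str, now: datetime,
              max_age: timedelta = MAX_AGENT_AGE,
              prior_unmonitored: frozenset = frozenset()) -> Report:
    """Join the inventory to HIDS check-ins and classify every deployed server."""
    last_seen: dict[str, datetime] = {}
    for row in csv.DictReader(io.StringIO(hids_csv)):
        stamp = row["last_checkin"].replace("Z", "+00:00")
        last_seen[normalize(row["hostname"])] = datetime.fromisoformat(stamp)

    report = Report()
    inventory_hosts: set[str] = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["status"].strip().lower() == "retired":
            continue  # not deployed; "build" hosts are NOT exempt and fall through
        host = normalize(row["hostname"])
        inventory_hosts.add(host)
        stats = report.by_unit.setdefault(row["business_unit"], UnitStats())
        stats.should_be_monitored += 1
        seen = last_seen.get(host)
        if seen is None:
            reason = "no HIDS agent registered"
        elif now - seen > max_age:
            reason = f"agent installed but not functioning (last check-in {seen:%Y-%m-%d})"
        else:
            continue  # agent reported within the window: monitored
        stats.unmonitored += 1
        report.unmonitored[host] = reason
        if host in prior_unmonitored:
            report.repeat_offenders.append(host)
    # Agents on hosts the inventory does not list point at an inventory gap.
    report.orphans = sorted(set(last_seen) - inventory_hosts)
    return report


if __name__ == "__main__":
    r = reconcile(INVENTORY_CSV, HIDS_CSV, NOW, prior_unmonitored=frozenset({"app02"}))
    for unit, s in sorted(r.by_unit.items()) + [("Totals", r.totals)]:
        print(f"{unit:<34}{s.should_be_monitored:>8}{s.unmonitored:>8}{s.percent_unmonitored:>5}%")
    print("Unmonitored:", r.unmonitored, "\nNot in inventory:", r.orphans, "\nRepeat:", r.repeat_offenders)
```

Feeding each run's unmonitored set back in as `prior_unmonitored` on the next run is what turns a one-off reconciliation into the recurring control the finding asks for.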
Without adequate monitoring of IRS servers, the CSIRC may not timely detect malicious activity or cybersecurity incidents.

Recommendation

Recommendation 1: The Assistant Chief Information Officer, Cybersecurity, should direct the CSIRC to:
   a) Develop its Cybersecurity Data Warehouse capability to correlate and reconcile active servers connected to the IRS network with servers monitored by the HIDS.
   b) Report servers that are repeatedly found operating without a HIDS to the applicable system administrators for corrective action.

   Management's Response: The IRS agreed with this recommendation. To develop the recommended HIDS correlation, reconciliation, and reporting processes, the Assistant Chief Information Officer, Cybersecurity, will 1) identify impacted IRS organizations; 2) identify applications and tools needed to provide information technology asset information, with their varying implementation dates, since the Cybersecurity Data Warehouse is not a repository of information technology asset information; and 3) initiate a stakeholder meeting to launch actions. The IRS will complete these actions by the end of Calendar Year 2012.

   Office of Audit Comment: The IRS's proposed corrective actions do not address our recommendation. Specifically, the IRS did not include a commitment to implement the controls we recommended. After we issued the draft report, CSIRC officials informed us they intend to implement the controls but their dependence on another MITS function to develop an asset management system prevented the CSIRC from estimating an implementation date before the end of the calendar year.
       Without a control to identify and resolve servers operating without a HIDS, the IRS cannot monitor for malicious activity or cybersecurity incidents across its server environment.

The Computer Security Incident Response Center Is Not Reporting All Computer Security Incidents to the Department of the Treasury

The Department of the Treasury requires[5] the CSIRC to report the computer security incidents and events to the Treasury CSIRC for its analysis. Table 2 presents the incident category type and name, a description of the category, and the required reporting time period.

                  Table 2: Computer Security Incident and Event Categories

CAT 1: Unauthorized Access/Physical Loss
   Description: An individual gains logical or physical access without permission to a Federal agency network, system, application, data, or other resource, including the physical loss of assets and Personally Identifiable Information.
   Reporting time period: Within one hour of discovery/detection.

CAT 2: Denial of Service
   Description: An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim or participating in the denial of service.
   Reporting time period: Within two hours of discovery/detection regardless of the mitigation status of the attack.

CAT 3: Malicious Code
   Description: Successful installation of malicious software (e.g., virus, worm, spyware, bots, Trojan horse, or other code-based malicious entity) that is not quarantined and infects or affects an operating system or application.
   Reporting time period: Within one hour of discovery/detection if widespread across agency; otherwise, within 24 hours.

CAT 4: Improper Usage
   Description: A person violates acceptable computing use policies.
   Reporting time period: Within one week of discovery/detection of the incident.

CAT 5: Scans/Probes/Attempted Access
   Description: Activity that seeks to access or identify a Federal agency computer, open ports, protocols, service, or any combination for later exploit.
   Reporting time period: Monthly or as activity is discovered.

CAT 6: Investigation
   Description: Unconfirmed incidents under investigation that are potentially malicious or anomalous activity deemed to warrant further review.
   Reporting time period: No set time period.

Source: Department of the Treasury Incident Reporting Guidelines and Procedures, Final Draft (May 15, 2011).

[5] Treasury Directive TD P 85-01 Appendix G p. 13 (Jan. 29, 2008).

The CSIRC effectively reports the above security incidents and events when it is aware of them. However, in Calendar Year 2010, the TIGTA Office of Investigations detected 84 computer security incidents that were never forwarded to the CSIRC for reporting to the Treasury CSIRC. Sixty-five of these incidents were Internet and e-mail abuses (Category 4), 14 were misuse of Government computers or software violations not involving the Internet or e-mail (Category 4), and five were intrusion or sabotage incidents (Category 5).[6] Since the CSIRC was not aware of these incidents, it could neither investigate nor report them to the Treasury CSIRC.

We reported this same weakness in 2009[7] and noted the TIGTA Office of Investigations was sharing only the incidents categorized as Loss or Theft of Information Technology Assets, which omitted several reportable incident categories. At that time, we recommended the CSIRC collaborate with the TIGTA Office of Investigations to revise the Memorandum of Understanding between the two organizations.

Since we first reported this weakness, the CSIRC granted the TIGTA Office of Investigations full access to the CSIRC incident tracking system. However, the TIGTA Office of Investigations could not reciprocate due to its need to protect the confidentiality of sensitive investigative information in its own security incident tracking system.
Therefore, the CSIRC still had a critical need to update the Memorandum of Understanding to define security incident referral criteria and ensure the TIGTA Office of Investigations is sharing all computer security incidents it detects during its ongoing IRS investigations and monitoring programs. However, the CSIRC did not coordinate with the TIGTA Office of Investigations to define and expand the referral criteria in the Memorandum of Understanding.

The Memorandum of Understanding was not updated because the CSIRC deferred this task to the Office of Privacy, Information Protection, and Data Security. However, that office stopped revising the Memorandum after determining its own incident tracking system, currently under development, would satisfy its needs. After the Office of Privacy, Information Protection, and Data Security determined it had no need for a revision to the Memorandum, CSIRC officials did not resume their work to revise the Memorandum.

In addition to not revising the Memorandum of Understanding to improve security incident sharing, an ineffective control in the CSIRC contributed to the CSIRC not reporting all incidents to the Treasury CSIRC. The CSIRC did not always reconcile its incident tracking system with the TIGTA Office of Investigations’ tracking system to ensure the lone category of incidents that was shared, Loss or Theft of Information Technology Asset, was accounted for in the CSIRC’s incident tracking system and reported to the Treasury CSIRC. Our reconciliation between the TIGTA Office of Investigations’ system and the CSIRC’s incident tracking system determined the CSIRC did not account for 37 (12 percent) of 320 Loss or Theft of Information Technology Asset incidents that the TIGTA Office of Investigations maintained in its tracking system.

[6] At the end of our fieldwork, CSIRC officials told us they are no longer required to report Category 5 incidents to the Treasury CSIRC.
[7] TIGTA, Ref. No. 2009-20-120, Significant Improvements Have Been Made to Protect Sensitive Data on Laptop Computers and Other Portable Electronic Media Devices (Aug. 2009).

In response to our August 2009 report, CSIRC officials stated they were considering two corrective actions to improve their reconciliation process. One improvement was to develop common identifiers to help reconcile the CSIRC’s incident tracking system with the TIGTA Office of Investigations’ system. The second improvement was to designate the CSIRC as the central point of contact in order to reduce employee burden for making three separate contacts (manager, TIGTA Office of Investigations, and CSIRC) when a loss or theft incident occurs. However, the CSIRC did not implement either of these corrective actions that would have improved the reconciliation process.

Without an effective reconciliation process, the CSIRC does not have reasonable assurance it is fully meeting the Department of the Treasury’s incident reporting requirements. In addition, the CSIRC’s timely response to Loss or Theft of Information Technology Asset incidents is critical to prevent further loss of data and damage to IRS systems. Specifically, the CSIRC must determine whether the device contained Personally Identifiable Information or other sensitive data.
In some cases, the CSIRC may need to remove the user’s remote access account to the IRS network, disable network identification cards, or take other immediate action to protect the IRS network and data.

Recommendations

The Assistant Chief Information Officer, Cybersecurity, should direct the CSIRC to:

Recommendation 2: Revise and expand the Memorandum of Understanding to require the TIGTA Office of Investigations to refer all reportable and relevant computer security incidents to the CSIRC except for those incidents that cannot be shared due to privacy or legal concerns.

       Management’s Response: The IRS agreed with this recommendation. Cybersecurity will revise and expand the Memorandum of Understanding to require the TIGTA Office of Investigations to refer all reportable and relevant computer security incidents to the CSIRC.

Recommendation 3: Collaborate with the TIGTA Office of Investigations to develop and use common identifiers to facilitate the reconciliation of the CSIRC’s incident tracking system to the TIGTA Office of Investigations’ tracking system.

       Management’s Response: The IRS agreed with this recommendation.
       Collaborative action is underway with the TIGTA Office of Investigations to develop and use common identifiers to facilitate reconciliation of CSIRC’s incident tracking system with the TIGTA Office of Investigations’ tracking system.

The Computer Security Incident Response Center Has Not Developed Adequate Policies, Plans, and Procedures

The first step in establishing any program is the creation of policies and plans to implement these policies. The Department of the Treasury Incident Response Guidelines and Procedures[8] require the IRS to implement the security requirements and controls outlined in the NIST Special Publication 800-53,[9] which provides the elements that should be included in a bureau’s incident response policy and plan. Furthermore, the Department of the Treasury also requires agencies to have “formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.” The CSIRC, however, has not prioritized its policies, plans, and procedures and has questioned whether following the NIST recommendations to develop this guidance would improve security.

The Internal Revenue Manual lacks key incident response policy details

The CSIRC has not maintained and updated its incident response policy. CSIRC officials told us that their incident response policy is included in the IRS’s Internal Revenue Manual (IRM) and that the IRM provides adequate policy guidance.
However, the IRM does not provide some of the key policy details recommended by the NIST and therefore required by the Department of the Treasury. The IRM lacks information about organizational structure and coordination among organizational entities; delineation of roles, responsibilities, and levels of authority; and compliance with the policy. The policy in the IRM is high level and does not contain detailed information, such as performance measures recommended by the NIST to help organizations improve their incident response capabilities.[10] Furthermore, the IRM is out of date. For example, the new Office of Privacy, Information Protection, and Data Security assists CSIRC in reporting incidents involving Personally Identifiable Information to the Treasury CSIRC; however, the IRM does not provide information about these critical responsibilities. The IRM also states that the CSIRC has responsibility for conducting vulnerability assessments and network scanning but, as stated previously, the Security Risk Management function now performs these activities.

CSIRC officials told us their main priority is their mission to identify and eradicate cyberthreats 24 hours a day. However, we believe the IRS should follow the NIST recommendations, and establishing and maintaining a current and complete incident response policy will provide the program with clear direction and will assist the CSIRC with maturing its incident response capability.

[8] Treasury Directive TD P 85-01 Appendix G p. 11 (Jan. 29, 2008).
[9] NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3, at pp. F-61 to F-65 (Aug. 2009).
[10] NIST Special Publication 800-61, Computer Security Incident Handling Guide pp. 2-3 to 2-4 (Mar. 2008).

Recommendation

Recommendation 4: The Assistant Chief Information Officer, Cybersecurity, should direct the CSIRC to develop a standalone incident response policy or update the IRM for currency and accuracy, including the NIST recommended elements that the Department of the Treasury policy requires.

       Management’s Response: The IRS agreed with this recommendation. The Assistant Chief Information Officer, Cybersecurity, is updating IRM 10.8.1 to include NIST guidance and Department of the Treasury requirements, as deemed appropriate.

The CSIRC has not developed an incident response plan

The CSIRC also has not developed a standalone incident response plan as recommended by the NIST and required by the Department of the Treasury. The NIST states,

       …it is important that organizations have a formal, focused, and coordinated approach to responding to incidents. To effectively implement such a capability, an organization should have an incident response plan. The plan should provide a high-level approach for how the incident response capability fits into the overall organization and should lay out the resources and management support that is needed to effectively maintain and mature an incident response capability.

The CSIRC said its plan is contained within its standard operating procedures, but we determined the CSIRC’s standard operating procedures lack any coherence or organization that would resemble an incident response plan and the standard operating procedures do not satisfy the NIST recommended elements for a plan.
For example, the standard operating procedures do not describe the structure and organization of the incident response capability, nor do they provide a description of how this capability fits into the overall organization. The NIST also recommends that organizations review and approve their incident response plan. The CSIRC standard operating procedures have received no such review.

As stated previously, the CSIRC has not prioritized planning. We believe the IRS should comply with the Department of the Treasury requirement that bureaus implement the NIST recommended elements for incident response plans.

Recommendation

Recommendation 5: The Assistant Chief Information Officer, Cybersecurity, should direct the CSIRC to develop a standalone incident response plan that includes the elements recommended by the NIST.

       Management’s Response: The IRS agreed with this recommendation. CSIRC actions are underway to update standard operating procedures and formalize an incident response plan to include NIST guidance, as appropriate.

Standard operating procedures are not formalized and are outdated and incomplete

The CSIRC has not developed adequate standard operating procedures to guide its employees and contractors. The standard operating procedures are not formalized, and are neither current nor complete. The Department of the Treasury’s “Minimum Standard Parameters” require standard operating procedures to be current and complete. The NIST also recommends standard operating procedures be tested for accuracy once developed.
The CSIRC has not tested its standard operating procedures.

The CSIRC’s standard operating procedures include a hodgepodge of electronic files, as follows: one basic incident response flow chart, 10 different templates that analysts may use to generate tickets in the CSIRC’s tracking system, three sample e-mail formats, 29 screenshots of various online guidance ranging from a list of IRS Internet Protocol addresses to firewall administrator contacts, and one narrative standard operating procedure document. The sole narrative document contains disorganized sections that have not been updated since 2008. We also determined the single narrative document to be incomplete due to a lack of critical procedure guidance, such as how to monitor, manage, and address intrusion detection system information. Other examples of missing guidance in the standard operating procedures include: 1) a procedure to explain how the CSIRC and the TIGTA Office of Investigations should work together to reconcile the cyberincidents in their separate tracking systems, 2) a procedure explaining how incidents must be referred to Labor Relations when Internet misuse is identified, and 3) guidance regarding the roles and responsibilities of the CSIRC and other organizations involved in maintaining the IRS network and data security.

CSIRC officials agreed with our assessment of their standard operating procedure documentation. CSIRC managers and analysts said they use an internal Wiki-page format to share information about threats and how to handle particular incidents. Operations analysts told us they use the Wiki-pages daily and that the information is easy to access and therefore effective for their purposes. However, the Wiki-pages do not satisfy the NIST recommendations and the Department of the Treasury requirements for formal, documented standard operating procedures. Any CSIRC employee or contractor can update the Wiki-pages.
The procedural information on these pages does not undergo formal managerial review, and it can be inadvertently or maliciously deleted. Finally, the Wiki-pages are not always available to CSIRC analysts. When the site goes down or is otherwise unavailable, CSIRC analysts need the capability to access standard operating procedures so that they may continue to handle computer security incidents. At the beginning of our audit work, CSIRC officials told us they recently hired a technical writer to formalize the information on the Wiki-pages into standard operating procedure documents.

As stated previously, planning and procedure documentation is not prioritized at the CSIRC. Without current and complete standard operating procedures that accurately describe how to handle computer security incidents, the CSIRC cannot be sure that employees and contractors have adequate information to appropriately address computer threats in order to protect the IRS network and data.

Recommendation

Recommendation 6: The Assistant Chief Information Officer, Cybersecurity, should direct the CSIRC to develop, update, and formalize all critical standard operating procedures and, once completed, test these procedures to ensure completeness and accuracy as recommended by the NIST.

       Management’s Response: The IRS agreed with this recommendation.
       Action is underway to develop, update, and formalize standard operating procedures, including coordination across the MITS organization.

                                                                                  Appendix I

        Detailed Objective, Scope, and Methodology

The overall objective of this review was to evaluate the effectiveness of the IRS’s CSIRC at preventing, detecting, reporting, and responding to computer security incidents targeting IRS computers and data. To accomplish our objective, we:

I.     Determined whether the CSIRC has established policies, plans, and procedures as recommended by the NIST and required by the Department of the Treasury by evaluating the IRM, CSIRC policy statements, incident response plans, and standard operating procedures.

II.    Determined whether the incident response services recommended by the NIST and the Carnegie Mellon Institute are performed by the CSIRC or other IRS organizations. We reviewed lists and descriptions of recommended services and interviewed officials in the CSIRC, Enterprise Operations function, and Security Risk Management function to delineate roles and responsibilities in order to ensure all recommended services are performed by the IRS.

III.   Determined whether the CSIRC is effectively performing its responsibilities for preventing, detecting, reporting, and responding to computer security incidents.

       A. For preventing computer security incidents, we identified outreach programs the CSIRC performed during Fiscal Year 2010 and interviewed CSIRC officials to determine if the CSIRC performed any follow-up actions to evaluate the effectiveness of these programs. We also:

           1. Interviewed CSIRC officials to review the controls in place that ensure the CSIRC issues timely security alerts, bulletins, and advisories. We verified the CSIRC issued alerts and advisories timely to the appropriate IRS officials.

           2. Interviewed CSIRC officials to identify controls in place that ensure software patch notifications are distributed to the Enterprise Operations and Security Risk Management functions, and determined whether the CSIRC is distributing patches timely.

       B. For detecting computer security incidents, we determined whether the CSIRC has an accurate server inventory and interviewed CSIRC officials to determine whether the IRS has developed procedures for notifying the CSIRC of changes that would affect its ability to detect unauthorized access. We also:

           1. Evaluated the effectiveness of the Internet usage logs and determined whether the CSIRC reported Internet misuse and improper software downloads to appropriate IRS or TIGTA offices.

           2. Evaluated the effectiveness of the intrusion detection system operations.
              We reviewed the adequacy of Network-based Intrusion Detection System devices deployed throughout the IRS network. To evaluate the effectiveness of HIDS operations, we compared the Enterprise Server Database inventory of active deployed servers to the list of servers with HIDS software functioning properly in order to determine how many servers were operating without HIDS.

       C. For reporting computer security incidents, we evaluated the trending and analysis performed by the CSIRC and determined whether the CSIRC is reporting all security attacks and incidents to the Treasury CSIRC. We also:

           1. Interviewed Office of Privacy, Information Protection, and Data Security, and TIGTA Office of Investigations officials to determine how computer security incidents are shared and tracked between organizations.

           2. Determined whether the CSIRC reconciles its incident tracking system with the TIGTA Office of Investigations’ incident tracking system to ensure all known incidents are accounted for and reported. To accomplish this, we used all TIGTA Office of Investigations computer security incident records in Calendar Year 2010 and matched them against records in the CSIRC’s incident tracking system.

       D. For responding to computer security incidents, we determined the CSIRC’s process for handling incidents and determined whether the CSIRC conducted post-mortems, developed lessons learned, and performed recovery operations and other services. We interviewed CSIRC officials and operations analysts to determine whether they follow the Department of the Treasury incident handling guidelines.
          We also observed CSIRC operations analysts while they handled incidents and mitigated computer threats on site for three business days.

IV.    Determined whether a lack of resources, qualified staff, or training was affecting the CSIRC mission. We reviewed resumes, technical qualifications, and employment records for all CSIRC employees and contractors and verified background checks were conducted. We interviewed the MITS training coordinator about training received and reviewed training records for all CSIRC personnel. Finally, we reviewed the CSIRC’s budget for the past three fiscal years.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the NIST standards and related IRM guidelines and the processes followed by the CSIRC to protect the IRS network and data.
We evaluated these controls by conducting interviews and meetings with management and staff, observing operations analysts on site, and reviewing documentation such as standard operating procedures.

                                                                              Appendix II

                 Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
W. Allen Gray, Audit Manager
Charles O. Ekunwe, Lead Auditor
George L. Franklin, Senior Auditor
Bret Hunter, Senior Auditor
Jena R. Whitley, Senior Audit Evaluator
Monique Queen, Information Technology Specialist

                                                                       Appendix III

                         Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Chief Counsel CC
Chief, Criminal Investigation SE:CI
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Research, Analysis and Statistics RAS
Director, Office of Program Evaluation and Risk Analysis RAS:O
Director, Statistics of Income RAS:S
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM
Deputy Inspector General for Investigations IG:I

                                                                                              Appendix IV

         Computer Security Incident Response Center
          Lifecycle for Managing Security Incidents

[Figure: CSIRC lifecycle diagram. The diagram is titled "CSIRC Mission and Functions" and groups the functions listed below around three areas: Reporting, Prevention, and Incident Management.]

CSIRC Mission and Functions: The Computer Security Incident Response Center provides proactive prevention, detection, and response to computer security incidents targeting the IRS’ enterprise IT assets.

Reporting:
   - Incident Tracking & Referral
   - Business Impact Analysis
   - Trending & Analysis
   - Leadership View
   - Cyber Daily
   - Treasury CSIRC/GSOC
   - US-CERT
   - TIGTA

Prevention:
   - Outreach & Awareness
   - Security Notification
   - Vulnerability Management Support
   - Infrastructure Security Device Operations and Management

Incident Management
                            Lifecycle\n\n    \xef\x83\x98   Event Triage                                                             \xef\x83\x98 Infrastructure Security\n    \xef\x83\x98   Mitigation/Remediation                                                   \xef\x83\x98 Firewall Logs\n    \xef\x83\x98   Forensic Analysis                                                        \xef\x83\x98 Network- and host-based\n    \xef\x83\x98   Recovery                         Response        Detection                 Intrusion Detection\n    \xef\x83\x98   Follow-up                                                                \xef\x83\x98 Internet Misuse Monitoring\n    \xef\x83\x98   Lessons Learned                                                          \xef\x83\x98 Antivirus\n\n\n                                                                 Internal Revenue Service\n                                                                Information Technology                    2\n     Official Use Only\n\n Source: IRS CSIRC Overview and Status Presentation (September 2010), slide 2. GSOC is the acronym for\nGovernment Security Operations Center, IT is the acronym for Information Technology, and US-CERT is the\nacronym for United States Computer Emergency Readiness Team.\n\n\n\n\n                                                                                                         Page 20\n\x0c                The Computer Security Incident Response Center Is Effectively\n               Performing Most of Its Responsibilities, but Further Improvements\n                                         Are Needed\n\n\n\n                                                                              Appendix V\n\n                            Glossary of Terms\n\n            Term                                        Definition\nCampus                        The data processing arm of the IRS. 
The campuses process\n                              paper and electronic submissions, correct errors, and forward\n                              data to the Computing Centers for analysis and posting to\n                              taxpayer accounts.\nCarnegie Mellon Software      A Federally funded research and development center operated\nEngineering Institute         by Carnegie Mellon University and sponsored by the\n                              Department of Defense.\nConficker Worm                A computer worm targeting operating systems that was first\n                              detected in October 2008. It used flaws in software to\n                              propagate and was unusually difficult to counter because of its\n                              combined use of many advanced malware techniques.\nCyber                         Cyber is often used for \xe2\x80\x9celectronic\xe2\x80\x9d or \xe2\x80\x9ccomputer-related.\xe2\x80\x9d\nExploit Code                  A piece of software or sequence of commands that takes\n                              advantage of a bug, glitch, or vulnerability in order to cause\n                              unintended behavior on computer software or hardware.\n                              Exploit code frequently includes such things as gaining\n                              control of a computer system or allowing privilege escalation\n                              or a denial-of-service attack.\nGrid Card                     One component of the IRS\xe2\x80\x99s two-factor authentication process\n                              to validate remote users on the network.\nHost-Based Intrusion          A host-based intrusion detection system is a type of intrusion\nDetection System              detection system that monitors and analyzes the computing\n                              system as well as (in some cases) the network packets on its\n                              network interfaces.\n\n\n\n\n                
                                                                      Page 21\n\x0c               The Computer Security Incident Response Center Is Effectively\n              Performing Most of Its Responsibilities, but Further Improvements\n                                        Are Needed\n\n\n\n            Term                                        Definition\nIncident                     An occurrence that actually or potentially jeopardizes the\n                             confidentiality, integrity, or availability of an information\n                             system or the information the system processes, stores, or\n                             transmits or that constitutes a violation or imminent threat of\n                             violation of security policies, security procedures, or\n                             acceptable use policies.\nIncident Handling            The mitigation of violations of security policies and\n                             recommended practices.\nIncident Response Plan       The documentation of a predetermined set of instructions or\n                             procedures to detect, respond to, and limit consequences of\n                             malicious cyberattacks against an organization\xe2\x80\x99s information\n                             system(s).\nInformation Security         The protection of information and information systems from\n                             unauthorized access, use, disclosure, disruption, modification,\n                             or destruction in order to provide confidentiality, integrity, and\n                             availability.\nInformation Technology       Any equipment or interconnected system or subsystem of\n                             equipment that is used in the automatic acquisition, storage,\n                             manipulation, management, movement, control, display,\n                             switching, interchange, transmission, or reception 
of data or\n                             information by the executive agency. The term information\n                             technology includes computers, ancillary equipment, software,\n                             firmware and similar procedures, services (including support\n                             services), and related resources.\nInternet Protocol            The Internet Protocol is the principal communications protocol\n                             used for relaying packets of information across the Internet.\n                             Responsible for routing packets across network boundaries, it\n                             is the primary protocol that establishes the Internet.\nIntrusion Detection System   Provides an organization the ability to monitor activity on its\n                             computer network and look for suspicious or unauthorized\n                             actions from both external and internal threats.\n\n\n\n\n                                                                                       Page 22\n\x0c               The Computer Security Incident Response Center Is Effectively\n              Performing Most of Its Responsibilities, but Further Improvements\n                                        Are Needed\n\n\n\n            Term                                             Definition\nMalware                           Malicious code, software, or firmware intended to perform an\n                                  unauthorized process that will have adverse impact on the\n                                  confidentiality, integrity, or availability of an information\n                                  system. A virus, worm, Trojan horse, or other code-based\n                                  entity that infects a host. 
Spyware and some forms of adware\n                                  are also examples of malicious code.\nNational Institute of Standards   The NIST, under the Department of Commerce, is responsible\nand Technology                    for developing standards and guidelines for providing\n                                  adequate information security for all Federal Government\n                                  agency operations and assets.\nNetwork-Based Intrusion           Devices that are appliance-based components residing on\nDetection System                  specific network environments to monitor traffic originating\n                                  from or destined for protected segments of the network.\nPatch                             Software vendors issue patches to fix flaws that become\n                                  apparent after their software has been released to the public.\nPersonally Identifiable           Personally Identifiable Information includes the personal\nInformation                       information of taxpayers, employees, contractors, and visitors\n                                  to the IRS. 
Examples include: name, home address, Social\n                                  Security Number, home telephone number, biometric data,\n                                  and other numbers and information that alone or in\n                                  combination with other data can identify an individual.\nRisk                              The level of impact on agency operations (including mission,\n                                  functions, image, or reputation), agency assets, or individuals\n                                  that results from the operation of an information system given\n                                  the potential impact of a threat and the likelihood of that threat\n                                  occurring.\nServer                            A physical computer dedicated to running one or more\n                                  services as a host to serve the needs of users of other\n                                  computers on the network.\nSystem                            A discrete set of information resources organized for the\n                                  collection, processing, maintenance, use, sharing,\n                                  dissemination, or disposition of information. 
A system\n                                  normally includes hardware, software, information, data,\n                                  applications, communications, and people.\n\n\n                                                                                            Page 23\n\x0c                 The Computer Security Incident Response Center Is Effectively\n                Performing Most of Its Responsibilities, but Further Improvements\n                                          Are Needed\n\n\n\n            Term                                         Definition\nSystem Administrator           A person who manages the technical aspects of a system.\nThreat                         Any circumstance or event with the potential to adversely\n                               impact organizational operations (including mission,\n                               functions, image, or reputation), organizational assets, or\n                               individuals through an information system via unauthorized\n                               access, destruction, disclosure, modification of information, or\n                               denial of service. 
Also, the potential for a threat-source to\n                               successfully exploit an information system vulnerability.\nVirus                          A piece of programming code usually disguised as something\n                               else that causes some unexpected and, for the victim, usually\n                               undesirable event and which is often designed to automatically\n                               spread to other computer users.\nVulnerability                  Weakness in an information system, system security\n                               procedures, internal controls, or implementation that could be\n                               exploited or triggered by a threat source.\nWiki-Page                      Website allowing creation and editing of any number of\n                               interlinked web pages used collaboratively by multiple users.\n\n\n\n\n                                                                                       Page 24\n\x0c    The Computer Security Incident Response Center Is Effectively\n   Performing Most of Its Responsibilities, but Further Improvements\n                             Are Needed\n\n\n\n                                                      Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                             Page 25\n\x0c The Computer Security Incident Response Center Is Effectively\nPerforming Most of Its Responsibilities, but Further Improvements\n                          Are Needed\n\n\n\n\n                                                          Page 26\n\x0c The Computer Security Incident Response Center Is Effectively\nPerforming Most of Its Responsibilities, but Further Improvements\n                          Are Needed\n\n\n\n\n                                                          Page 27\n\x0c The Computer Security Incident Response Center Is Effectively\nPerforming Most of Its 
Responsibilities, but Further Improvements\n                          Are Needed\n\n\n\n\n                                                          Page 28\n\x0c'